CPS 234 – Information Security - AWS User Guide to Financial Services Regulations and Guidelines in Australia

CPS 234 outlines the measures ARIs should take to be resilient against information security incidents (including cyber-attacks). CPS 234 requires ARIs to maintain an information security capability commensurate with information security vulnerabilities and threats. CPS 234 defines an information security incident as an actual or potential compromise of information security.

A key objective is to minimize the likelihood and impact of information security incidents on the confidentiality, integrity, or availability of information assets, including information assets managed by related parties or third parties. Key requirements of CPS 234 include that an ARI must:

  • Clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals.

  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, which enables the continued sound operation of the ARI.

  • Implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets and undertake systematic testing and assurance regarding the effectiveness of those controls.

  • Notify APRA of material information security incidents.

AWS published the AWS Workbook for the APRA CPG 234, available through AWS Artifact, to support AWS customers as they work to meet applicable CPS 234 requirements and CPG 234 observations. The workbook is intended as a reference and supporting document to assist ARIs in their own preparation for a compliance review with APRA. Where applicable under the AWS shared responsibility model, the workbook provides supporting AWS details and references to assist ARIs when adapting CPG 234 for their workloads on AWS.

To assist in meeting the CPS 234 requirements and CPG 234 observations, we recommend referring to APRA's CPG 234, APRA's August 2024 letter "Additional insights on common cyber resilience weaknesses", and APRA's June 2024 letter "Security and adequacy of backups".

See Appendix 1: Key aspects of APRA CPS 234 for a summary of key aspects of CPS 234, and Appendix 2: Key aspects of CPG 234 for key aspects of CPG 234.